New York's Department of Financial Services Cybersecurity regulation became effective March 1. According to the press release issued with the regulation, it is intended to require banks, insurance companies and other "covered entities" to "establish and maintain a cybersecurity program designed to protect consumers' private data and ensure the safety and soundness of New York State's financial services industry." This regulation is the first of its kind in the U.S., and it will likely serve as a model for other states looking to address cybersecurity.
The regulation requires all covered entities to meet minimum cybersecurity requirements to protect networks and customer data, and it outlines reporting requirements for breaches. It has been estimated that over sixty percent of all breaches originate with third-party vendors. To address this exposure, the regulation also requires that the banks, insurance companies and other businesses that fall under it assess their third-party vendors to ensure those vendors meet certain cybersecurity requirements. If you are a vendor providing goods or services to an entity covered by the new regulation, now is the time to assess your organization's compliance so that you remain a vendor of choice for your clients.
As part of the regulation, firms must certify annual assessments and compliance, although some experts complain that this requirement is not nearly rigorous enough to keep pace with the speed at which risks develop. If you are a covered entity or provide goods or services to a covered entity, take note that general assessments are not enough to comply with the new regulation: each entity must have its own risk assessment done and a mitigation plan targeted at the specific risks that assessment identifies. Compliance certifications will be due beginning in 2018.